Create a new folder to store certs and keys:
sudo mkdir /etc/apache2/ssl
Generate the CSR and Key files:
sudo openssl req -new -newkey rsa:2048 -nodes -keyout /etc/apache2/ssl/mydomain.key -out /etc/apache2/ssl/mydomain.csr
Use the CSR to request new SSL certificate files.
Place the new certificate files inside /etc/apache2/ssl
Give ownership of the directory and files to root:
sudo chown -R root:root /etc/apache2/ssl
Change the permissions of the certs/bundle/key files to 400
Then set the folder permissions to 500
NOTE: When the files are up for renewal you will need to change the write permissions on the ssl folder.